This RFC says that "the goal of the architecture is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." See also RFC 2402, RFC 2406 and RFC 2407 for more details on IPSec.

The main purpose of IPSec is to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. It offers a set of security services at the IP layer and therefore protects traffic at that layer and at the layers above it. These security services include access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.

Encryption that can be deployed in standalone environments between clients, routers, and firewalls

Environments where it's used in conjunction with L2TP tunneling

From a usage point of view, here are three main advantages of IPSec:

Supported on various operating system platforms

The right VPN solution if you want true data confidentiality for your networks.

An open standard, so interoperability between different devices is easy to implement.

Technical Details:

IPSec has two different modes: transport mode (host-to-host) and tunnel mode (gateway-to-gateway or gateway-to-host). In transport mode, only the payload is encapsulated (the original IP header is left intact) and the end host to which the IP packet is addressed decapsulates it. In tunnel mode, the entire IP packet is encapsulated behind a new IP header, and the host (or gateway) specified in that new header decapsulates the packet. Note that in tunnel mode there is no need for client software to run on the gateway, and the communication between client systems and gateways is not protected.

IPSec standard supports the following features:

AH (Authentication Header), which provides an authenticity guarantee for transported packets. This is done by computing a cryptographic checksum (an integrity check value) over each packet.
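As an added illustration (not code from the original article), the following Python models the transport-mode AH integrity check: it computes an HMAC-SHA1-96 ICV over the packet with the mutable IPv4 fields zeroed, and shows that a router's TTL decrement leaves the check intact while a NAT address rewrite or a payload change fails it. The key, addresses and payload are constructed sample values, and the IPv4 header checksum is left as zero for brevity.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; real keys come from IKE
ICV_LEN = 12      # HMAC-SHA1-96: 20-byte HMAC-SHA1 tag truncated to 96 bits
AH_PROTO = 51     # IP protocol number of the Authentication Header

def ipv4_header(src: bytes, dst: bytes, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Fields routers legitimately change (TOS, flags/fragment offset, TTL,
    header checksum) are zeroed for the ICV; addresses, length and protocol
    stay covered, which is why AH breaks when a NAT rewrites an address."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_icv(ip_hdr: bytes, ah_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over the immutable IP header, the AH header with its ICV zeroed, and the payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_hdr[:12] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(src: bytes, dst: bytes, payload: bytes, spi: int, seq: int, key: bytes):
    """Transport mode: original IP header kept, AH inserted between it and the payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 64, 20 + 12 + ICV_LEN + len(payload))
    # Next Header = TCP (6); Payload Len = 24-byte AH / 4 - 2 = 4; reserved; SPI; sequence
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    return ip_hdr, ah_fixed + ah_icv(ip_hdr, ah_fixed, payload, key), payload

def ah_verify(ip_hdr: bytes, ah_hdr: bytes, payload: bytes, key: bytes) -> bool:
    return hmac.compare_digest(ah_hdr[12:], ah_icv(ip_hdr, ah_hdr, payload, key))

def demo() -> dict:
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    ip_hdr, ah_hdr, payload = ah_protect(src, dst, b"hello", 0x100, 1, DEMO_KEY)
    hopped = bytearray(ip_hdr)
    hopped[8] -= 1                                   # a router decrements TTL
    natted = ip_hdr[:16] + bytes([203, 0, 113, 9])   # a NAT rewrites the destination
    return {
        "ttl_decrement": ah_verify(bytes(hopped), ah_hdr, payload, DEMO_KEY),
        "nat_rewrite": ah_verify(natted, ah_hdr, payload, DEMO_KEY),
        "payload_tamper": ah_verify(ip_hdr, ah_hdr, b"jello", DEMO_KEY),
    }
```

Running `demo()` returns `{"ttl_decrement": True, "nat_rewrite": False, "payload_tamper": False}`, which is the practical reason AH is rarely usable across NAT devices.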

IPSec traditionally implements secure remote access connections using virtual private network (VPN) tunneling protocols such as Layer 2 Tunneling Protocol (L2TP). Note that IPSec is not really a VPN mechanism in itself. In fact, the use of IPSec has been changing in the last few years, since IPSec is moving from the WAN into the LAN to secure internal network traffic against eavesdropping and modification.

When two computers (peers) want to communicate using IPSec, they first mutually authenticate each other and then negotiate how to encrypt and digitally sign the traffic they exchange. These IPSec communication sessions are called security associations (SAs).

Native Support for IPSEC

The term Native IPsec is used to describe the implementation scheme in which IPsec is integrated into the native IP implementation. It requires access to the IP source code and applies to both hosts and security gateways. Native IPsec support is only available in Linux 2.6.x kernels. Here the OS kernel maintains the Security Policy Database (SPD). The SPD defines which traffic is to be encrypted, which mode (transport or tunnel) is used, and the end-points.

IPSec in IPv6 and why it's important

IPsec is a mandatory component of IPv6, and therefore the IPsec security model is required to be supported by all IPv6 implementations in the near future. In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header. Since IPv4 IPsec is at present available in nearly all client and server OS platforms, IT administrators can deploy the advanced security of IPv6 IPsec immediately, without changing applications or networks. The importance of IPsec in IPv6 has grown in recent years as the U.S. Department of Defense and the federal government have mandates to buy IPv6-capable systems and to transition to IPv6-capable networks within a few years.